And note that this syntax should be supported even in the public data
scenario.
/ Jonas
Jonas Sicking wrote:
>
> Please note that
>
> Access-Control-Allow-Origin: url
>
> is also allowed syntax. Where the url must contain only scheme, domain
> and host.
>
> So the following syntax is allowed:
> Access-Control-Allow-Origin: http://example.com
>
> It is somewhat unclear if the following syntaxes are allowed:
>
> Access-Control-Allow-Origin: http://example.com/
> Access-Control-Allow-Origin: http://example.com/?
> Access-Control-Allow-Origin: http://example.com/#
> Access-Control-Allow-Origin: http://example.com/;
>
>
> I think the first one should be ok, but not the other three.
>
> / Jonas
>
>
>
> Sunava Dutta wrote:
>> Access-Control-Allow-Origin: * seems to be the consensus for the
>> public scenario, please confirm.
>> On a less urgent note did we get any further traction on the
>> discussion on angle brackets for the URL specified scenario? The last
>> mail here seems to be on 7/21.
>>
>>
>>> -----Original Message-----
>>> From: Maciej Stachowiak [mailto:mjs@apple.com]
>>> Sent: Saturday, July 19, 2008 9:32 PM
>>> To: Jonas Sicking
>>> Cc: Sunava Dutta; annevk@opera.com; Sharath Udupa; Zhenbin Xu; Gideon
>>> Cohn; public-webapps@w3.org; IE8 Core AJAX SWAT Team
>>> Subject: Re: XDomainRequest Integration with AC
>>>
>>>
>>> On Jul 18, 2008, at 11:15 PM, Jonas Sicking wrote:
>>>
>>>> Maciej Stachowiak wrote:
>>>>> On Jul 18, 2008, at 4:20 PM, Sunava Dutta wrote:
>>>>>> I'm in time pressure to lock down the header names for Beta 2 to
>>>>>> integrate XDR with AC. It seems no body has objected to Jonas's
>>>>>> proposal. http://lists.w3.org/Archives/Public/public-
>>> webapps/2008JulSep/0175.html
>>>>>> Please let me know if this discussion is closed so we can make the
>>>>>> change.
>>>>> I think Anne's email represents the most recent agreement and I
>>>>> don't think anyone has objected:
>>> http://lists.w3.org/Archives/Public/public-webapps/2008JulSep/0142.html
>>>>> The change would be: Instead of checking for
>>>>> "XDomainRequestAllowed: 1" check for "Access-Control-Allow-Origin:
>>>>> *" or "Access-Control-Allow-Origin: url" where url matches what was
>>>>> sent in the Origin header.
>>>> So I have one final request for a change to the above syntax.
>>>>
>>>> How would people feel about the syntax
>>>>
>>>> Access-Control-Allow-Origin: <url>
>>> I don't think the angle brackets are necessary for forward compat,
>>> since we can just disallow spaces from the URL.
>>>
>>> - Maciej
>>>
>>>>
>>>> This would give us at least something for a forwards compatibility
>>>> story if we wanted to add to the syntax in future versions of the
>>>> spec. I really think we are being overly optimistic if we think that
>>>> the current syntax is the be-all end-all syntax that we'll ever want.
>>>>
>>>> For example during the meeting we talked about that banks might want
>>>> to enforce that the requesting site uses a certain level of
>>>> encryption, or even a certain certificate. A syntax for that might
>>> be:
>>>> Access-Control-Allow-Origin: origin <https://foo.com> encryption sha1
>>>>
>>>> Or that the site in question uses some opt-in XSS mitigation
>>>> technology (such as the one drafted by Brandon Sterns in a previous
>>>> thread in this WG). This could be done as
>>>>
>>>> Access-Control-Allow-Origin: origin <https://foo.com> require-xss-
>>>> protection
>>>>
>>>> So the formal syntax would be
>>>>
>>>> "Access-Control-Allow-Origin:" "<" ("*" | url) ">"
>>>>
>>>> / Jonas
>>>>
>>>> / Jonas
>>
>>
>
>